A Kubernetes cluster internally uses a set of certificates for secure communication. Every certificate has an expiry date and needs to be renewed periodically.

Kubernetes takes care of the renewal operation, but we can also trigger the renewal of the certificates ourselves.

Step 1: Check the certificate details

The first thing we need to check is the expiry details of the certificates. The command to do so is given below.

kubeadm alpha certs check-expiration

You can check the response and verify the certificate expiry details.

Step 2: Back up the configurations and certificates

It is very important to back up the current configurations and certificates before performing any modifications.

mkdir -p $HOME/backup/k8-conf
mkdir -p $HOME/backup/k8-conf-cert
mkdir -p $HOME/backup/k8-certs

cp -r /etc/kubernetes/*.conf $HOME/backup/k8-conf/
cp -r /etc/kubernetes/pki/ $HOME/backup/k8-conf-cert/
cp -r /var/lib/kubelet/pki/* $HOME/backup/k8-certs
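
The backup made in this step contains the cluster CA private key and kubeconfig credentials, so it is worth keeping it owner-only and confirming that every copy matches its original. The script below is an added example, not part of the original page; the function names backup_pki and exposed_paths and the dated directory name are assumptions of this example.

```shell
# Added example, not from the original page. Function names are this
# example's own; on a real node run it as root so the sources are readable.

# backup_pki DEST SRC...
# Copy each SRC into a new directory DEST, owner-only, and verify each copy.
# The parenthesised body is a subshell, so the umask change stays local.
backup_pki() (
    dest=$1
    shift
    umask 077
    mkdir -p "$(dirname "$dest")" || exit 1
    # Refuse to reuse a directory: mixing two runs hides which
    # certificates belong to which point in time.
    mkdir "$dest" 2>/dev/null ||
        { echo "cannot create $dest (already exists?)" >&2; exit 1; }
    for src in "$@"; do
        [ -e "$src" ] || { echo "missing source: $src" >&2; exit 1; }
        # Mirror the full source path under DEST so /etc/kubernetes/pki
        # and /var/lib/kubelet/pki cannot overwrite each other.
        target=$dest/${src#/}
        mkdir -p "$(dirname "$target")" || exit 1
        # No -p: copies get (source mode & ~umask), e.g. 0644 -> 0600.
        cp -R "$src" "$target" || exit 1
        # Recursive byte-for-byte comparison of original and copy.
        diff -r "$src" "$target" >/dev/null ||
            { echo "verification failed: $src" >&2; exit 1; }
    done
)

# exposed_paths DIR
# Print paths under DIR that group or others can read, write or execute
# (symlinks skipped: their own mode bits are not enforced on Linux).
# Empty output means only the owner can access the backup.
exposed_paths() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Usage with the paths from Step 2:
#   d="$HOME/backup/k8s-$(date +%Y%m%d-%H%M%S)"
#   backup_pki "$d" /etc/kubernetes/*.conf /etc/kubernetes/pki \
#       /var/lib/kubelet/pki && exposed_paths "$d"
```

A non-zero exit status from backup_pki means the backup is incomplete and the renewal in Step 3 should wait.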

Step 3: Renew the certificates

Now we can renew the certificates by executing the following command.

kubeadm alpha certs renew all

This command completes quickly. A sample output is given below.

Step 4: Verify the renewed certificates

The last step is to verify the renewed certificates. The command to verify the certificates was already explained in Step 1.

kubeadm alpha certs check-expiration

This command will show the updated expiry dates after the renewal.

Also run some kubectl commands to ensure that communication with the cluster is working properly.

Some simple commands for testing kubectl are given below.

kubectl get nodes

kubectl get pods --all-namespaces